xxii
Contents
Overwriting Return Address .......................................................................................... 467
Generating Shellcode ..................................................................................................... 467
Server Hacking .............................................................................................................. 469
Apache Server .................................................................................................................470
Testing for Disabled Functions ..............................................................................470
Open_basedir Misconfiguration ...................................................................472
Using CURL to Bypass Open_basedir Restrictions ......................................474
Open_basedir PHP 5.2.9 Bypass ..................................................................475
Reference ........................................................................................................................476
Bypassing open_basedir Using CGI Shell ....................................................476
Bypassing open_basedir Using Mod_Perl, Mod_Python .............................. 477
Escalating Privileges Using Local Root Exploits ............................................................ 477
Back Connecting ........................................................................................................... 477
Finding the Local Root Exploit ......................................................................................478
Usage ..............................................................................................................................478
Finding a Writable Directory ..........................................................................................479
Bypassing Symlinks to Read Configuration Files ........................................................... 480
Who Is Affected? ............................................................................................................481
Basic Syntax ....................................................................................................................481
Why This Works ................................................................................................... 482
Symlink Bypass: Example 1 .................................................................................. 482
Finding the Username .......................................................................................... 482
/etc/passwd File .................................................................................... 483
/etc/valiases File ................................................................................ 483
Path Disclosure ............................................................................................ 483
Uploading .htaccess to Follow Symlinks ............................................................... 484
Symlinking the Configuration Files ...................................................................... 484
Connecting to and Manipulating the Database ............................................................. 485
Updating the Password .................................................................................................. 486
Symlink the Root Directory ................................................................................. 486
Example 3: Compromising WHMCS Server ........................................................ 487
Finding a WHMCS Server ............................................................................................ 487
Symlinking the Configuration File ................................................................................ 488
WHMCS Killer .................................................................................................... 488
Disabling Security Mechanisms ............................................................................ 490
Disabling Mod_Security .............................................................................. 490
Disabling Open_basedir and Safe_mode ........................................... 490
Using CGI, PERL, or Python Shell to Bypass Symlinks ........................................491
Conclusion ......................................................................................................................491